Common User Management Errors
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The following table is a list of the most common LDAP Errors encountered when integrating LDAP with Atlassian products. For a product-agnostic list of all LDAP error codes, please see the LDAP Protocol Specification. For product-specific information, please see your product documentation.
Solution
The Bind account referred to by many messages is the username and password that your Atlassian products use to access your LDAP directory.
LDAP Error 1
This is an internal error, and the LDAP Server isn't able to respond with a more specific error. Usually, this indicates an error at the LDAP server, rather than a problem with the request that was made.
Solution
Check the LDAP Server logs and configuration to ensure that it is working free from errors. When a user attempts to log in to an Atlassian application, the server:
1. Searches for the administrative user's DN, using the admin account's credentials from the User Directory configuration.
2. Binds to LDAP using the DN from step 1.
3. Searches for the user that is attempting to authenticate.
4. Attempts to bind as that user using the password provided.
If the bind is successful, that user's details are synchronized with the target directory.
In this particular case, step 1 is failing. This is usually because the admin account's password requires a reset, the admin account is unable to log in, or it is not an official administrator of the LDAP engine.
Possible solutions/checks:
Verify that the password of the user trying to log in to the Atlassian application does not require a reset on the next login.
Check that you can log in as that user in another system that is connected to the same LDAP engine.
Ensure that the user configured to bind to the LDAP server is an actual administrator of the LDAP engine (i.e. in Active Directory they are a member of the built-in Administrators group). If the user is not an Administrator, make sure it has read-only access to all directory levels used by your Atlassian application.
Another possible cause is a group (or groups) whose name has two leading spaces. Execute the following query to determine if there are any groups like that in the specified directory (the pattern below starts with two spaces):
select id, group_name from cwd_group where directory_id = '1234567' and group_name like '  %';
1. Determine which groups have names with leading spaces by running the diagnostic query above.
2. Rename the problematic groups in Active Directory by removing the leading spaces.
3. Restart synchronization.
LDAP Error 3
The time limit for an operation (set by the client or server) has been exceeded. If the operation is a search, the results will be incomplete.
Solution
Reaching the timeout is usually a sign that:
the timeout is too short - adjust it by editing your directory and increasing the Search Timeout parameter; or
a result set is too large - adjust filters to reduce the result set
LDAP Error 4
The size limit (set by the client or server) has been exceeded. The results returned will be incomplete.
Solution
Reaching a limit is usually a sign that:
the limit is not appropriate - enable Paged Results and ensure the Page Size is smaller than the server's limit in the User Directories Advanced Settings. Consult with your LDAP/AD System Administrator to see what this number should be set to, as it depends on the LDAP/AD server configuration; or
the result set is too large - adjust filters to reduce the result set
LDAP Error 8
The Active Directory server has a non-default domain policy set that enforces all LDAP authentication to be secured with SSL.
Solution
LDAP Error 10
A referral must be followed by the client in order to complete the operation.
Solution
Typically, this error is accompanied by a LimitExceededException - too many referrals were made, usually to a DNS address that does not exist. Ensure that the base DN is correct and free from typographical errors. Ensure that users have correct MemberOf attributes that point to groups that are reachable. To test this, change how membership is defined by unchecking the MemberOf setting in the Membership Schema Attribute Settings. This lists membership by searching through the groups' "Member" attribute instead of searching through the users' "MemberOf" attribute.
LDAP Error 12
Sun Directory Server does not support Paged Results, which generates an error like:
org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]
Solution
Do not use Paged Results with Sun Directory Server. Note that without paged results, you may encounter LDAP error code 4. More discussion has taken place on CONFSERVER-22083 - Assess Sun Directory LDAP server and paged results support for Confluence compatibility.
LDAP Error 17
One of the attributes specified in the configuration settings of your User Directory, either in the User Schema Settings (e.g. User Object Class, User Last Name Attribute) or the Group Schema Settings (e.g. Group Name Attribute, Group Object Class), does not exist in the LDAP server's schema.
Solution
Ensure any attributes referenced in your configuration are correct, and appropriate for users or groups.
LDAP Error 32
There could be many reasons for this issue. Please check the data code in the error message.
Solution
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A,
problem 2001 (NO_OBJECT), data 0, best match of: 'ou=fake, ou=users, o=sevenSeas'];
remaining name 'ou=users, o=sevenSeas'
The data code in the example above is 0, which means "Defined DN does not exist".
LDAP Error 34
The syntax of the DN is incorrect.
Solution
Ensure your DN is correct and free from typographical errors. There may also be an invalid character in an attribute of the object, such as name or description. Check the error message to see which attribute caused the problem.
LDAP Error 49
The bind operation has failed, typically due to a problem with the account.
Solution
Ensure the credentials for the bind account used to connect to the LDAP Server are correct. If you are using Active Directory, refer to the table below about Error 49 in Active Directory.
This can also be caused by not using the FQDN in the Username field of the User Directory configuration. Try changing Username to "user@domain.name".
LDAP Error 50
The LDAP user configured on the client (e.g. JIRA, Confluence) does not have sufficient rights to perform the requested operation.
Solution
This error is a permissions configuration issue on the LDAP side. Ensure that the bind account has sufficient privileges to perform the operation requested. If possible, try an account with higher permissions temporarily to isolate the problem.
LDAP Error 53
The LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:
The add entry request violates the LDAP Server's structure rules
The modify attribute request specifies attributes that users cannot modify
Password restrictions prevent the action
Connection restrictions prevent the action
Solution
This error is typically caused by attempting to make changes to a read-only directory. There can be several reasons the directory is read-only:
The directory has been configured as a read-only directory
The bind account may not have permissions to make changes on the server
The server may impose additional restrictions. For example, Active Directory may require a secure connection to allow changes
Active Directory Error 49
When Error 49 is encountered, check the error message for the specific sub-code in its Data attribute. This TechNet article has more information about how to configure user account settings in Active Directory.
Code | Description | Resolution
---|---|---
Data 525 | The user could not be found | Ensure the correct username has been specified for the bind account.
Data 52e | The credentials (username and password) are invalid | Ensure the credentials are correct, and that the correct server is being used. See the KB article Users are unable to log in to Confluence (LDAP: error code 49, data 52e) for more details.
Data 530 | The user is not permitted to log in at this time | Remove any Log on Hours from the user's "Account" tab in Active Directory.
Data 531 | The user is not permitted to log in at this workstation | Allow the application server as a permitted logon workstation from the user's "Account" tab in Active Directory.
Data 532 | The user's password has expired | Reset the user's password. If necessary, update your application(s) with the new password.
Data 533 | The user's account has been disabled | Enable the user account in Active Directory.
Data 57 | The account used by JIRA to connect to Active Directory has an authorization issue | The user may have been removed, or had its password changed, on the AD side. Test a login to the AD server with that account and confirm that, with the correct password, it can view all users' membership attributes, navigate to the LDAP base DN, and view all user and group attributes. The cause can also be an encryption file issue: the crypto file may be missing or lack filesystem permissions, causing the wrong authorization data to be sent.
Data 701 | The user's account has expired | Ensure that "Never" is set as the account expiration option in Active Directory.
Data 773 | The user account must have its password reset | Reset the user's password. If necessary, update your application(s) with the new password.
Data 775 | The user account is locked | Unlock the user account from the user's "Account" tab in Active Directory.
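The Error 32 and Error 49 sections above both say to read the data code out of the exception message. The following Python triage helper is an added example (not part of this article or any Atlassian product) that extracts the LDAP result code and the data sub-code from an application log line and maps them to the resolutions listed in this article; the error 49 sample line is constructed to match the usual Active Directory message format, and the error 32 sample is adapted from the message quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Resolutions for the Active Directory "data" sub-codes from the Error 49 table above.
AD_ERROR_49_DATA = {
    "525": "user not found: check the bind account username",
    "52e": "invalid credentials: check the username/password and the target server",
    "530": "logon not permitted at this time: remove Log on Hours restrictions",
    "531": "logon not permitted at this workstation: allow the application server",
    "532": "password expired: reset it and update the application",
    "533": "account disabled: enable it in Active Directory",
    "701": "account expired: set account expiration to Never",
    "773": "password must be reset: reset it and update the application",
    "775": "account locked: unlock it in Active Directory",
}

LDAP_CODE_RE = re.compile(r"\[LDAP: error code (\d+) - ")
DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")

@dataclass
class LdapFailure:
    result_code: int           # LDAP result code, e.g. 49
    data_code: Optional[str]   # server-specific sub-code, e.g. "52e"; None if absent
    hint: str                  # resolution hint taken from this article

def triage(message: str) -> Optional[LdapFailure]:
    """Parse an exception message from the application log and map it to a hint."""
    m = LDAP_CODE_RE.search(message)
    if not m:
        return None  # not an LDAP result message
    code = int(m.group(1))
    d = DATA_RE.search(message)
    data = d.group(1).lower() if d else None
    if code == 49:
        hint = AD_ERROR_49_DATA.get(data, "bind failed: verify the bind account credentials")
    elif code == 32 and data == "0":
        hint = "defined DN does not exist: check the base DN and user/group DNs"
    else:
        hint = f"see the LDAP Error {code} section of this article"
    return LdapFailure(code, data, hint)

# Sample log lines: the first is adapted from this article, the second is constructed.
SAMPLE_ERROR_32 = ("javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
                   "DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'ou=fake, ou=users, o=sevenSeas']")
SAMPLE_ERROR_49 = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
                   "DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]")
```

Run `triage()` over each LDAP exception line in the application log to get the data sub-code and the matching resolution without reading the raw message by hand.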
PKIX Path Building Failed while connecting to Secure LDAP (LDAPS)
This error occurs when using a secure LDAP connection whose server certificate your application does not trust. To resolve this, the certificate must be imported into your application's trust store. Please see the Unable to Connect to SSL Services knowledge base article for more information. For product-specific advice, please see the Connecting to SSL Services KB document.